Authenticate before getting access to game server
We are in the state of implementing some sort of gaming area in a MAN. I will try to explain to the best I can and then see if someone could give me a hint on where to go from here.
Today we have a large Metro Area Network. We have around 16000 ports connected.
The users can plug into the network jack and get by default a 10.x.x.x/8 address. With this address they are able to connect to the city portal. Once there they will be able to create an account. When they log in with the newly created account they will release the 10 address and get a new 172.16.x.x/16 address. Now from that portal they get some new policies; some policies say they get a route to access some City information and some other town-related subjects. From here they can also choose from around 10 different ISPs to get internet/IP telephony and such things from.
In the "default" policy they will be routed to outer DC with a default VLAN 3211 and the network 94.x.x.x/27 where our game servers and our "own game portal" reside.
We are trying to figure out a way to only let authenticated users get access to the game servers. Like, the users sign up in our "town community game center". When they are validated they will have access to connect to the game servers. Non-validated users should be able to connect to our game portal, but not be able to connect to the game servers.
But since the net is default routed to our network they could just do our.network:27015 and connect to the servers; the servers don't have any means of authenticating the users.
Any idea on approach here?
Any hints, thoughts or wacky ideas are most appreciated.
Last edited by dukka; 23rd January 2010 at 08:33 PM.
Depending on your routing setup, which I imagine is quite impressive given the size of the network, this should be reasonably easy.
You can do this by applying ACLs on the route boundaries so long as your game server is on a different subnet or passes through a router. What you would do is apply an ACL (access control list) on all traffic coming into the game server from the router. The ACL would allow whatever ports you need for information if you were coming off the 10.x.x.x network but no others. If the traffic was coming off the 172.16.x.x network then you would let through the actual game server ports.
You should be able to do this with Cisco routing gear and layer 4 ACLs. Depending on the traffic patterns you could use an outbound filter instead on the other side of the router so that all traffic entering from the 10.x.x.x network is checked and filtered if heading to the game server.
As the server is available from both networks and is on a different subnet this should work fine. I would suggest testing this beforehand though, as ACLs can be tricky and if applied wrongly can bog down router hardware and slow traffic flow. You want to use the least processing-intensive method, so put it on the interface that is closest to the server so that only the minimum of traffic gets hit by the filter.
Depending on the traffic and your existing hardware I would suggest trying to make sure that the ACL is applied on a layer 3/4 switch because this will be vastly more efficient and much quicker than all but the top-end routers with L4 switching accelerators built in. Given the size and complexity of your network you most probably know all this already, but it pays to be over-informative rather than vague.
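The filter described in the reply above, written out as an added example (this is not configuration from the thread or from the poster's network). It uses Cisco IOS extended-ACL syntax, as the reply mentions Cisco gear; the same filter can be expressed as a Junos firewall filter or an Extreme policy on the actual backbone. Assumptions: 192.0.2.0/27 stands in for the 94.x.x.x/27 game/portal segment, the portal is reached on TCP 80/443, and the game ports are 27015 (from the thread) through 27020 (assumed upper bound). The ACL is applied in the outbound direction on the SVI facing the server segment, so only traffic heading to the servers is inspected.

```cisco
! Added example: what reaches the game/portal /27, keyed on the source range.
! 192.0.2.0 0.0.0.31 is a placeholder for the real 94.x.x.x/27.
ip access-list extended TO-GAME-SEGMENT
 remark -- pre-login 10/8 users: portal only (HTTP/HTTPS assumed) --
 permit tcp 10.0.0.0 0.255.255.255 192.0.2.0 0.0.0.31 eq 80
 permit tcp 10.0.0.0 0.255.255.255 192.0.2.0 0.0.0.31 eq 443
 remark -- logged-in 172.16/16 users: portal plus game ports --
 permit tcp 172.16.0.0 0.0.255.255 192.0.2.0 0.0.0.31 eq 80
 permit tcp 172.16.0.0 0.0.255.255 192.0.2.0 0.0.0.31 eq 443
 permit udp 172.16.0.0 0.0.255.255 192.0.2.0 0.0.0.31 range 27015 27020
 permit tcp 172.16.0.0 0.0.255.255 192.0.2.0 0.0.0.31 range 27015 27020
 remark -- everything else toward the segment is dropped (implicit deny made explicit) --
 deny ip any 192.0.2.0 0.0.0.31
!
interface Vlan3211
 description game/portal segment (VLAN 3211 from the thread)
 ip access-group TO-GAME-SEGMENT out
```

Check the entry hit counters with `show ip access-lists TO-GAME-SEGMENT` while a test client from each range connects, so you can see that 10/8 traffic to 27015 increments the deny line and not a permit. Leave `log` off the final deny on a 16000-port network: per-packet logging of drops is exactly the kind of processing load the reply warns about. Note that this only separates "logged in" from "not logged in"; restricting the game ports to users with a validated game-portal account needs per-host entries or a per-session decision rather than a subnet rule.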
I will try to be a little clearer. When using the first 10.x net the users can only connect to the portal (Juniper ERX). So they create the account and log on. They receive the 172. But what I was meaning is that even though all "portal active" users can connect to the 94.x network, it should only be those that have a valid account on the Game portal, which will be an Apache/MySQL-based BSD box. Like stated, I could solve this with the ACL if it were merely the network part. But here comes the tricky part: also validating access against a MySQL DB, and when that turns out OK I will let them through. My thought was to perhaps implement a RADIUS solution against the MySQL DB and move the game servers to another /27 net.
And yes, it's a large Extreme Networks/Juniper network with 10Gbit in the whole backbone.
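One way to bridge the gap the poster describes above, from a subnet-level ACL to "only accounts validated in the portal DB", is to render per-host permit entries from the account table and push them to the router/L3 switch in front of the game-server /27. The script below is an added example, not code from the thread or the poster's portal. The portal DB is MySQL in the thread; here an in-memory sqlite3 table with constructed rows stands in for it, and the column names (`username`, `ip`, `validated`) are assumptions rather than the real schema. Addresses are placeholders: 192.0.2.0/27 for the game-server /27, and 27015 through 27020 for the game ports (27015 is from the thread, the upper bound is assumed). It fails closed on malformed rows and on validated accounts whose address is not in the post-login 172.16/16 range.

```python
"""Added example: render an IOS extended ACL for the game-server /27 from the
game portal's account table (sqlite3 stand-in for the thread's MySQL DB)."""

import ipaddress
import sqlite3

USER_NET = ipaddress.ip_network("172.16.0.0/16")   # post-login user range (from the thread)
GAME_NET = "192.0.2.0 0.0.0.31"                     # placeholder /27, IOS wildcard form
GAME_PORTS = "range 27015 27020"                    # 27015 from the thread; upper bound assumed


def make_sample_db() -> sqlite3.Connection:
    """Constructed sample rows standing in for the portal's accounts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, ip TEXT, validated INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [
            ("alice", "172.16.4.10", 1),
            ("bob", "172.16.9.77", 0),      # signed up in the portal, not yet validated
            ("carol", "172.16.20.3", 1),
            ("mallory", "10.3.3.3", 1),     # validated flag but a pre-login address: skipped
            ("dave", "not-an-ip", 1),       # malformed row must not yield a permit entry
        ],
    )
    return conn


def validated_hosts(conn: sqlite3.Connection) -> list[str]:
    """Addresses allowed through: validated accounts whose current address lies
    inside the post-login user range. Everything else is silently excluded."""
    hosts = []
    rows = conn.execute("SELECT ip FROM accounts WHERE validated = 1 ORDER BY username")
    for (ip_text,) in rows:
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            continue                          # bad data: fail closed
        if ip in USER_NET:
            hosts.append(str(ip))
    return hosts


def render_acl(hosts: list[str], name: str = "TO-GAME-SEGMENT") -> str:
    """One permit pair (udp/tcp game ports) per validated host, the portal
    (TCP 80/443 assumed) for every logged-in user, then an explicit deny."""
    lines = [f"ip access-list extended {name}"]
    for h in hosts:
        lines.append(f" permit udp host {h} {GAME_NET} {GAME_PORTS}")
        lines.append(f" permit tcp host {h} {GAME_NET} {GAME_PORTS}")
    lines.append(f" permit tcp 172.16.0.0 0.0.255.255 {GAME_NET} eq 80")
    lines.append(f" permit tcp 172.16.0.0 0.0.255.255 {GAME_NET} eq 443")
    lines.append(f" deny ip any {GAME_NET}")   # fail closed for everyone else
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_acl(validated_hosts(make_sample_db())))
```

Two caveats worth weighing before building on this. First, the decision is keyed on the 172.16 address the portal handed out, so it is only as good as that binding: regenerate and re-push the list on every login, logout and lease change, and make sure the access layer does not let a host use an address it was not assigned. Second, with 16000 ports the per-host list can grow into thousands of entries, which is the hardware-load problem the earlier reply warned about; the RADIUS idea in the post above avoids that by having the ERX apply a per-session policy at login, with RADIUS answering from the same MySQL account table, instead of rewriting a large ACL downstream.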